On Wed, Feb 22, 2012 at 07:18:00AM -0800, Ronald S. Bultje wrote: > Hi, > > On Tue, Feb 21, 2012 at 10:36 AM, Ronald S. Bultje <[email protected]> wrote: > > From: "Ronald S. Bultje" <[email protected]> > > > > We read sub_packet_h / 2 packets per line of data (during deinterleaving), > > which equals zero if sub_packet_h <= 1, thus causing us to not read any > > data, leading to an infinite loop. > > > > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > > CC: [email protected] > > --- > > libavformat/rmdec.c | 1 + > > 1 files changed, 1 insertions(+), 0 deletions(-) > > > > diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c > > index ee8abdd..ed16b07 100644 > > --- a/libavformat/rmdec.c > > +++ b/libavformat/rmdec.c > > @@ -265,6 +265,7 @@ static int rm_read_audio_stream_info(AVFormatContext > > *s, AVIOContext *pb, > > switch (ast->deint_id) { > > case DEINT_ID_INT4: > > if (ast->coded_framesize > ast->audio_framesize || > > + sub_packet_h <= 1 || > > ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & > > 1)) * ast->audio_framesize) > > return AVERROR_INVALIDDATA; > > Ping. This fixes an infinite loop on files using INT4 deinterleaving > and coding 1 or 0 as sub_packet_h.
probably OK _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
